Re: Adding revised identities to IKEv2
In your previous mail you wrote:
   If I'm understanding Francis correctly, I think I
   agree. Identity should not be bound up with IP
   addresses where the credential does not otherwise
   require it, cf. X.509, Kerberos, etc. The general
   flow on the incoming side should be:

=> my message was about IKE itself, not IPsec... But IPsec
is another example of ACL-like validation because only some
transforms/modes provide integrity check over addresses
(something stronger than the check against SA/SPD selectors).
Regards
Francis.Dupont@enst-bretagne.fr